• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Introduction to Asset Store Kit
2
3Asset Store Kit (ASSET for short) provides a series of open APIs to securely store and manage short sensitive data, including but not limited to passwords (accounts/passwords), tokens (application credentials), and important plaintext (such as bank card numbers).
4
5## Basic Concepts
6
7The secure storage of assets depends on the underlying universal keystore. Specifically, the universal keystore implements the asset encryption, decryption, and access control in a secure environment (such as a TEE). The sensitive user data will never be disclosed even if the system is attacked.
8
9The AES256-GCM algorithm is used to encrypt and decrypt assets. The following access control mechanisms are used to protect assets against unauthorized access:
10
11* Owner-based access control: All assets are protected by this mechanism by default.
12  * An asset can be accessed only by its owner (service that writes the asset).
13  * ASSET obtains the asset owner identity from the system service. Even if the service identity is spoofed, the spoofer cannot obtain the data of other services.
14  * The asset encryption/decryption also protects the integrity of the asset owner identity. Even if the owner of the asset is tampered with, attackers cannot obtain data of other services.
15
16* Group-based access control:
17  * You can add multiple applications of the same developer to a group and set the ground ID when adding assets. The applications in the same group can access data with each other.
18  * The group information consists of the developer ID and group ID. The developer ID does not need to be configured. The group ID is configured during application development. For details, see [Tags in the Configuration File](../../quick-start/app-configuration-file.md#tags-in-the-configuration-file). When an application is released, it is signed by a private key to ensure the group ID integrity.
19  * You can configure multiple groups for an application and allocate assets to different groups based on their sharing scope. This allows fine-grained group-based access control.
20
21* Access control based on the lock screen status: This mechanism provides the following protection levels in ascending order of security. You can set it based on site requirements. If no protection level is set, assets are accessible only after the device is unlocked for the first time.
22  * **DEVICE_POWERED_ON**: allows access to assets after the device is powered on.
23  * **DEVICE_FIRST_UNLOCKED**: allows access to assets after the device is unlocked for the first time after power-on.
24  * **DEVICE_UNLOCKED**: allows access to assets only when the device is unlocked.
25
26* Access control based on the setting of the lock screen password: This mechanism allows assets to be accessed only after a lock screen password is set. By default, it is disabled.
27  * If this mechanism is enabled, assets can be accessed only after the user sets a screen lock password.
28
29* Access control based on user authentication: This mechanism allows assets to be accessed only after a successful user identity authentication. By default, it is disabled.
30  * If this mechanism is enabled, assets can be accessed only after a successful user identity authentication.
31  * The user authentication can be fingerprint, facial, or PIN authentication.
32  * You can set an authentication validity period, which allows access to multiple assets within the validity period. The maximum authentication validity period is 10 minutes.
33
34## Constraints
35
36* Device limitations
37
38  This kit is not supported on lite wearables.
39
40* Alias-based access
41
42  Assets are stored in the ASSET database in ciphertext and uniquely identified by the service identity and alias. The alias of each asset must be unique.
43
44* Batch asset query
45
46  The assets queried are transmitted to the service through an IPC channel. Due to the limitation of the IPC buffer size, the maximum number of assets to be queried at a time cannot exceed 40.
47
48* Custom service data storage
49
50  ASSET provides 12 custom asset attributes starting with **DATA_LABEL** for services. If the 12 custom attributes are used, you can combine multiple data segments in a certain format (for example, JSON) into an ASSET attribute.
51
52  ASSET protects the integrity of the attributes starting with **DATA_LABEL_CRITICAL**. These attributes cannot be changed once written.
53
54* Group-based access control
55
56  Asset Store Kit does not support sandbox applications, dual application storage, or data access across groups.
57
58  The assets with [IS_PERSISTENT](../../reference/apis-asset-store-kit/js-apis-asset.md#tag) set to **True** cannot be shared in a group.
59
60* Asset deletion
61  1. The asset data that meets the specified conditions is deleted when **remove()** is called. For details, see [Removing Assets (ArkTS)](asset-js-remove.md) and [Removing Assets (C/C++)](asset-native-remove.md).
62  2. When an application is uninstalled, the asset data of the application will be deleted. However, if [IS_PERSISTENT](../../reference/apis-asset-store-kit/js-apis-asset.md#tag) is **true**, the asset data will be retained.
63  3. When a user is deleted, the asset data of the user will be deleted.
64  4. When a device is reset to restore factory settings, the asset data will be deleted.
65
66## Relationship with Other Kits
67
68Asset Store Kit provides secure storage of sensitive data less than 1 KB in size. To protect data greater than 1 KB, use [Universal Keystore Kit](../UniversalKeystoreKit/huks-overview.md) or [Crypto Architecture Kit](../CryptoArchitectureKit/crypto-architecture-kit-intro.md).
69